httpmw: pass systemCtx to getAgentSubject, add OwnerID to workspace agent scopes

johnstcn · johnstcn · commit 21d0f97d6610 · 2023-01-31T14:59:34.000Z
diff --git a/coderd/httpmw/workspaceagent.go b/coderd/httpmw/workspaceagent.go
@@ -65,7 +65,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 				return
 			}
 
-			subject, err := getAgentSubject(ctx, db, agent)
+			subject, err := getAgentSubject(systemCtx, db, agent)
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 					Message: "Internal error fetching workspace agent.",
@@ -107,6 +107,6 @@ func getAgentSubject(ctx context.Context, db database.Store, agent database.Work
 		ID:     user.ID.String(),
 		Roles:  rbac.RoleNames(roles.Roles),
 		Groups: roles.Groups,
-		Scope:  rbac.WorkspaceAgentScope(workspace.ID),
+		Scope:  rbac.WorkspaceAgentScope(workspace.ID, user.ID),
 	}, nil
 }
diff --git a/coderd/rbac/scopes.go b/coderd/rbac/scopes.go
@@ -43,7 +43,7 @@ func (s Scope) Name() string {
 	return s.Role.Name
 }
 
-func WorkspaceAgentScope(workspaceID uuid.UUID) Scope {
+func WorkspaceAgentScope(workspaceID, ownerID uuid.UUID) Scope {
 	allScope, err := ScopeAll.Expand()
 	if err != nil {
 		panic("failed to expand scope all, this should never happen")
@@ -57,6 +57,7 @@ func WorkspaceAgentScope(workspaceID uuid.UUID) Scope {
 		// This prevents the agent from being able to access any other resource.
 		AllowIDList: []string{
 			workspaceID.String(),
+			ownerID.String(),
 		},
 	}
 }
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -80,8 +80,8 @@ func (api *API) workspaceAgent(rw http.ResponseWriter, r *http.Request) {
 // @Success 200 {object} agentsdk.Metadata
 // @Router /workspaceagents/me/metadata [get]
 func (api *API) workspaceAgentMetadata(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
 	workspaceAgent := httpmw.WorkspaceAgent(r)
+	ctx := r.Context()
 	apiAgent, err := convertWorkspaceAgent(api.DERPMap, *api.TailnetCoordinator.Load(), workspaceAgent, nil, api.AgentInactiveDisconnectTimeout, api.DeploymentConfig.AgentFallbackTroubleshootingURL.Value)
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func (s Scope) Name() string {`
`43`	`43`	`return s.Role.Name`
`44`	`44`	`}`
`45`	`45`
`46`		`-func WorkspaceAgentScope(workspaceID uuid.UUID) Scope {`
	`46`	`+func WorkspaceAgentScope(workspaceID, ownerID uuid.UUID) Scope {`
`47`	`47`	`allScope, err := ScopeAll.Expand()`
`48`	`48`	`if err != nil {`
`49`	`49`	`panic("failed to expand scope all, this should never happen")`
`@@ -57,6 +57,7 @@ func WorkspaceAgentScope(workspaceID uuid.UUID) Scope {`
`57`	`57`	`// This prevents the agent from being able to access any other resource.`
`58`	`58`	`AllowIDList: []string{`
`59`	`59`	`workspaceID.String(),`
	`60`	`+ ownerID.String(),`
`60`	`61`	`},`
`61`	`62`	`}`
`62`	`63`	`}`